src/main/org/owasp/html/Sanitizers.java - platform/external/owasp/sanitizer - Git at Google

 // Copyright (c) 2011, Mike Samuel
 // All rights reserved.
 //
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions
 // are met:
 //
 // Redistributions of source code must retain the above copyright
 // notice, this list of conditions and the following disclaimer.
 // Redistributions in binary form must reproduce the above copyright
 // notice, this list of conditions and the following disclaimer in the
 // documentation and/or other materials provided with the distribution.
 // Neither the name of the OWASP nor the names of its contributors may
 // be used to endorse or promote products derived from this software
 // without specific prior written permission.
 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 // INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 // BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 // LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 // LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 // ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 // POSSIBILITY OF SUCH DAMAGE.

 package org.owasp.html;

 /**
  * Pre-packaged HTML sanitizer policies.
  *
  * <p>
  * These policies can be used to sanitize content.
  * </p>
  * <pre>
  *   Sanitizers.FORMATTING.sanitize({@code "<b>Hello, World!</b>"})
  * </pre>
  * and can be chained
  * <pre>
  *   PolicyFactory sanitizer = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS);
  *   System.out.println(sanitizer.sanitize({@code "<p>Hello, <b>World!</b>"}));
  * </pre>
  *
  * <p>
  * For more fine-grained control over sanitization, use
  * {@link HtmlPolicyBuilder}.
  * </p>
  *
  * @author Mike Samuel <mikesamuel@gmail.com>
  */
 public final class Sanitizers {

   /**
    * Allows common formatting elements including {@code <b>}, {@code <i>}, etc.
    */
   public static final PolicyFactory FORMATTING = new HtmlPolicyBuilder()
       .allowCommonInlineFormattingElements().toFactory();

   /**
    * Allows common block elements including <code>&lt;p&gt;</code>,
    * <code>&lt;h1&gt;</code>, etc.
    */
   public static final PolicyFactory BLOCKS = new HtmlPolicyBuilder()
       .allowCommonBlockElements().toFactory();

   /**
    * Allows certain safe CSS properties in {@code style="..."} attributes.
    */
   public static final PolicyFactory STYLES = new HtmlPolicyBuilder()
       .allowStyling().toFactory();

   /**
    * Allows HTTP, HTTPS, MAILTO, and relative links.
    */
   public static final PolicyFactory LINKS = new HtmlPolicyBuilder()
       .allowStandardUrlProtocols().allowElements("a")
       .allowAttributes("href").onElements("a").requireRelNofollowOnLinks()
       .toFactory();

   private static final AttributePolicy INTEGER = new AttributePolicy() {
     public String apply(
         String elementName, String attributeName, String value) {
       int n = value.length();
       if (n == 0) { return null; }
       for (int i = 0; i < n; ++i) {
         char ch = value.charAt(i);
         if (ch == '.') {
           if (i == 0) { return null; }
           return value.substring(0, i);  // truncate to integer.
         } else if (!('0' <= ch && ch <= '9')) {
           return null;
         }
       }
       return value;
     }
   };

   /**
    * Allows {@code <img>} elements from HTTP, HTTPS, and relative sources.
    */
   public static final PolicyFactory IMAGES = new HtmlPolicyBuilder()
       .allowUrlProtocols("http", "https").allowElements("img")
       .allowAttributes("alt", "src").onElements("img")
       .allowAttributes("border", "height", "width").matching(INTEGER)
           .onElements("img")
       .toFactory();

   private Sanitizers() {
     // Uninstantiable.
   }
 }
	// Copyright (c) 2011, Mike Samuel
	// All rights reserved.
	//
	// Redistribution and use in source and binary forms, with or without
	// modification, are permitted provided that the following conditions
	// are met:
	//
	// Redistributions of source code must retain the above copyright
	// notice, this list of conditions and the following disclaimer.
	// Redistributions in binary form must reproduce the above copyright
	// notice, this list of conditions and the following disclaimer in the
	// documentation and/or other materials provided with the distribution.
	// Neither the name of the OWASP nor the names of its contributors may
	// be used to endorse or promote products derived from this software
	// without specific prior written permission.
	// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
	// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
	// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
	// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
	// INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
	// BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	// LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
	// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	// LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
	// ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	// POSSIBILITY OF SUCH DAMAGE.

	package org.owasp.html;

	/**
	* Pre-packaged HTML sanitizer policies.
	*
	* <p>
	* These policies can be used to sanitize content.
	* </p>
	* <pre>
	* Sanitizers.FORMATTING.sanitize({@code "<b>Hello, World!</b>"})
	* </pre>
	* and can be chained
	* <pre>
	* PolicyFactory sanitizer = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS);
	* System.out.println(sanitizer.sanitize({@code "<p>Hello, <b>World!</b>"}));
	* </pre>
	*
	* <p>
	* For more fine-grained control over sanitization, use
	* {@link HtmlPolicyBuilder}.
	* </p>
	*
	* @author Mike Samuel <mikesamuel@gmail.com>
	*/
	public final class Sanitizers {

	/**
	* Allows common formatting elements including {@code <b>}, {@code <i>}, etc.
	*/
	public static final PolicyFactory FORMATTING = new HtmlPolicyBuilder()
	.allowCommonInlineFormattingElements().toFactory();

	/**
	* Allows common block elements including <code><p></code>,
	* <code><h1></code>, etc.
	*/
	public static final PolicyFactory BLOCKS = new HtmlPolicyBuilder()
	.allowCommonBlockElements().toFactory();

	/**
	* Allows certain safe CSS properties in {@code style="..."} attributes.
	*/
	public static final PolicyFactory STYLES = new HtmlPolicyBuilder()
	.allowStyling().toFactory();

	/**
	* Allows HTTP, HTTPS, MAILTO, and relative links.
	*/
	public static final PolicyFactory LINKS = new HtmlPolicyBuilder()
	.allowStandardUrlProtocols().allowElements("a")
	.allowAttributes("href").onElements("a").requireRelNofollowOnLinks()
	.toFactory();

	private static final AttributePolicy INTEGER = new AttributePolicy() {
	public String apply(
	String elementName, String attributeName, String value) {
	int n = value.length();
	if (n == 0) { return null; }
	for (int i = 0; i < n; ++i) {
	char ch = value.charAt(i);
	if (ch == '.') {
	if (i == 0) { return null; }
	return value.substring(0, i); // truncate to integer.
	} else if (!('0' <= ch && ch <= '9')) {
	return null;
	}
	}
	return value;
	}
	};

	/**
	* Allows {@code <img>} elements from HTTP, HTTPS, and relative sources.
	*/
	public static final PolicyFactory IMAGES = new HtmlPolicyBuilder()
	.allowUrlProtocols("http", "https").allowElements("img")
	.allowAttributes("alt", "src").onElements("img")
	.allowAttributes("border", "height", "width").matching(INTEGER)
	.onElements("img")
	.toFactory();

	private Sanitizers() {
	// Uninstantiable.
	}
	}